Symmetric Encryption: The Password Problem

Folks at Wachovia recently decided that all the confidential information they exchange with contractors and field examiners via email and the internet must be encrypted using at least 128 bit AES. Good for them! I applaud this move but then I realized that human stupidity can turn even best security practices to a mere farce.

I think that Wachovia really evaluated this problem realistically and chose the the method that was easiest to implement without forcing their contractors to spend a lot of money on software and/or training. Both 128 bit and 256 bit AES implementation is built into WinZip. That of course means you need to buy WinZip at the $20 a pop, but surprisingly enough most businesses do. It always amazes me that the company forces us to install WinZip on new machines despite the fact XP has a built in zip file support. At least we now have a reason why to use it. :P

It’s a good policy, but there is a problem here:

Hey, here is the file you requested. I encrypted it with winzip like you asked. I set the password to be “password”. In case you can’t open this file, I’m also attaching the original word document.

This, ladies and gentlemen is why the suicide rate among IT professionals is so high. Also, this is why you should be terrified when someone asks you to give them your personal information. Think about it – that at some point your social security number, address and credit record will be handled by this guy above. There is no way around it. A person like that works at almost every company – even yours. Dangerous information handling practices are commonplace, and data leaks are imminent. It scares the living shit out of me, but there is not much I can do about this. Or rather I can only try to improve security practices at my company, and hope others will do the same (they wont).

There are two ways you can handle encryption. The easy way is via symmetric encryption like AES which requires little or no infrastructure or forethought. To send data between Bob and Alice they both simply need the encryption/decryption software and the key in a form of a pass phrase that can be exchanged over the phone for example. Of course exchanging pass phrases for each document is a pain in the ass, so Bob and Alice will likely use the same one for all their correspondence. Since Alice will need to share this data with her coworkers, they will probably all use the same password for all correspondence with just about everyone. So whether they are working with Bob, or Eve or someone else they will use the very same common password.

What is that password? You have 3 guesses!

The password naturally is Alice’s company name written as one word in lowercase. If Alice’s boss is especially security conscious it will be the company name followed by a single number. And no, I’m not making this up. I actually seen this happen. Given a choice, lusers will pick a password that is easiest to remember or figure out, and by that virtue the least secure. This is the huge problem with symmetric encryption. You can educate the users, you can beat them up, threaten them or reason with them. But when you are not looking they will invent new clever ways to circumvent company security policies – or at least make them ineffective. And it’s not like it is some kind of secretive “fool the sysadmin” club. That would actually be cool – that I would respect. But no, this is just like an impenetrable wall of stupidity that shields them from common sense and reason.

The alternative of course is asymmetric encryption which removes the password choice from the equation. But it has it’s own limitations – namely, it is a pain in the ass to implement, deploy and train your stuff. Optimistically speaking I think we can get somewhere within 50-60% of our staff trained to use the winzip AES properly within a few months if we get a go-ahead for rapid forceful insertion of knowledge into the cranial cavity using blunt tolls. It would be faster if I was training orangutans for example, because they are not inherently afraid of technology. Humans unfortunately are – they seem to consider it a mysterious mystical force that cannot be comprehended by anyone sans a super-intelligent and yet socially inept nerds. Learning technology is naturally out of the question. Not only is it not possible to understand this stuff without the born-in nerd gene, but forcing that knowledge upon you apparently can cause severe brain damage.

So you can clearly see why blunt tools are necessary. We need to convince them that the brain damage will take place either way. Learning simply hurts less.

But public key encryption is such a foreign and incomprehensible subject. It’s like a high level arcane magic. Hell, for that stuff you need to have like a PHD in Jedi Mastery to even begin to understand it. When you start talking about public and private keys, exchanging and signing them, key rings and key servers you can see your user’s expression change from “LOL, they be trying to teach me magic but it wunt work” to “OMG! My head is about to explode”. By the time you are finished you can see pure fear in their eyes. Most go into catatonic for hours afterwards. Some never recover.

And of course after you spend many many hours configuring everyone’s email, generating keys and training people to use them, without fail someone will send their private key company mailing list.

Generally speaking I believe that an asymmetric public key approach is intrinsically less prone to human error (like for example choosing a weak password) but it is also more costly to implement. Costly both in man hours, as well as licensing. If you choose to go with PGP you are looking at around $200 per license. You could go with GnuPG naturally but it does not have the brand name weight, and it is slightly rougher around the edges – which ends up being a huge deal when you hand it to users who are terrified of computers as it is.

Don’t you just love it how this is a fucking never ending struggle. We really need policies like that, but the policies are half the battle. The other half is the long and painful process of IT beating the users into submission to enforce them.

I have set up Thunderbird with Enigmail for my wife’s office, and it works fine with very little education. She has to type in her passphrase once in a while (Enigmail has an internal cache and timeout), and everything else, including key servers, is managed behind the stage.

Enigmail is great. Most of my co-workers are Outlook addicts though. :P

What is she using encryption for though? Is it just to email back and forward with you or is this organization wide thing?

I guess the deployment process is the main problem here. Does anyone work in a company which has a strict PGP/GPG email policy? Does it work? How do you deploy it? Do you generate keys for people? Do you run an in-house key server?

Both 128 bit and 256 bit AES implementation is built into WinZip. That of course means you need to buy WinZip at the $20 a pop

AES is an open standard, isn’t it? Whatever the reason WinZip is charging you $20 per install, that’s not it.

As for GnuPG being rough around the edges, picking the right (graphical) front-end can go a long way. And there are plenty of plug-ins for other applications (including proprietary ones, like Outlook) that’ll play nice with GnuPG. It’s just a matter of some research.
I’ve found that trying to educate users on the topic of cryptography is often wasted effort, but threatening to take their computer privileges away if they don’t press the “encrypt” button someone was nice enough to preconfigure for them works at least half the time.

Yeah, AES is open. Winzip charges arm and a leg cause they are greedy. Unfortunately this is also an application that users are intimately familiar with and use on daily basis. So Winzip seems a logical choice – brining in some new encryption app would add confusion but it is not out of question.

I admit GPG is only useful if people on both sides use it. I have an automation to create a GPG key if I add a new user on the linux server, and I have an automated Thunderbird setup (all windows clients run freesshd, so this is a matter of a simple scp).
Currently all outgoing mail is signed by default, but not encrypted. I wish the medical laboratories we make business with could be convinced to encrypt emails with sensitive medical data …

You are spot on about the fear of technology with users. I work in a school district and teachers are one of the hardest groups to teach anything to. We had our first password change in three years and a month later we are still reseting passwords. We sent out pictures, with step by step directions about the change, which would only require the users to change their passwords after the have logged in. Users are still complaining about having to memorize a new password. People tape the password to their monitors and students are logging in as a teacher and causing chaos. I am not kidding when yesterday, i had to show a teacher how to use a flash drive and a fourth grade special ed student was making fun of the teacher who couldn’t use it. People are sometimes ashamed to admit that they don’t know something, this is human nature. I shudder to think of the weak passwords that “protect” so much sensitive data in schools. The password change was started because a administrator at a high school had a password of password, and a student logged in as that user and made a event on the school web page for national penis day. The administrator could not understand how “a hacker” could do that and that we could not find out who it was. Our network admin and our director of IT tried to explain how a smart kid(or a dumb one) could guess his password and failed to impart understanding of this simple concept of social engineering and a secure password. Or those who set their password to their first name, which students know. Basically only 1/3 of users have a password that a student or staff member couldn’t guess or read off of a post-it note.
And we are talking about Phd’s and Master Degrees required for these jobs. The irony of educators not willing to learn is staggering.

I wish getting users to encrypt their communication was our only problem. We also have issues getting them to backup THEIR data. I’m talking about a weekly backup to another disk of stuff THEY need, not me, I don’t care for it to be honest with you. Well, let me clarify that…I care for the university/college private data (admin info, student/employee info, budgets,…), but I really couldn’t care less about photos they took of stupid orange gates in Central Park last year (or was it two years ago?).

On the other hand, some system admins at times have trouble syncing SSL certs on their servers which is also very frustrating and annoying. Policies are important but the real progress can only be made with right people in right places (IT) and user education. They need to understand why this is important, not to look at is as another thing IT folks came up with to make their lives more difficult.

Well, I found out that the best way to teach people about backups is to do it the hard way. You give them bunch of memory sticks, or an external HD and show them how to use it. Then you tell them – back up your data as often as you can.

If they don’t they are the ones who will lose work and get chewed out by the boss.

The main office here is OK because 90% of our data is located on the 2 windows servers. They are set up with DFS replication so the network shares are essentially mirrored in real time. Both servers are RAID 1, and there is a nightly backup to the tape on a weekly rotation. I usually take one of the tapes offsite at night.

The desktops are not backed up but users simply use their local drives as temporary working area and then drop the files on the network shares where others can access it. It works out well and it is a pretty solid setup.

The field employees are a whole other story. They are the problem children.

But you are right – user education is important. But you can only educate people who care enough to listen or are able to understand the significance of what you are saying.

Yeah, centralized data is on servers and backed up here as well. But their individual data is a whole other issue. Yeah I know it’s personal, but somehow it always ends up being our responsibility to try to recover.

I think that this happens due to the main difference between your users and mine – tenure. Enough said. :(

Actually, your are right. It depends on the users. If it’s just a random employee then it’s their fault for not backing up. If it’s a director or one of the “golden boys” who can do no wrong in the eyes of the powers that be, then it’s my fault for not trying hard enough to recover it, or for not maintaining the machines well enough to prevent this from happening.

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Website

Currently you have JavaScript disabled. In order to post comments, please make sure JavaScript and Cookies are enabled, and reload the page.Click here for instructions on how to enable JavaScript in your browser.